NATIONAL CREDIT UNION ADMINISTRATION
OFFICE OF INSPECTOR GENERAL

REVIEW OF NCUA'S POLICIES, PROCEDURES AND PRACTICES REGARDING FINANCIAL STABILITY OVERSIGHT COUNCIL INFORMATION

Report #OIG-12-09
June 27, 2012

William A. DeSarno
Inspector General

Released by

James W. Hagen
Deputy Inspector General


Table of Contents

Section

   I    EXECUTIVE SUMMARY
   II   BACKGROUND
   III  OBJECTIVE, SCOPE, AND METHODOLOGY
   IV   OBSERVATIONS
          FSOC Guidance
          NCUA Policies and Procedures
          CIGFO Report Findings
          Suggestion

APPENDIX

   A    NCUA Management Comments


Review of NCUA's Policies, Procedures and Practices Regarding Financial Stability Oversight Council Information
OIG-12-09


Executive Summary

The National Credit Union Administration (NCUA) Office of Inspector General (OIG) conducted an audit of NCUA's policies, procedures, and practices regarding Financial Stability Oversight Council (FSOC)-related information. Our objective was to review NCUA's policies, procedures, and practices for ensuring FSOC-related information that it collects, shares, or deliberates is adequately protected from unauthorized disclosure. We conducted this audit as part of a larger audit that the Council of Inspectors General on Financial Oversight (CIGFO) initiated. The main component of this audit was completing a data collection instrument (DCI) provided by the CIGFO that included agency responses and narratives to a series of Yes or No questions. We used the following methodologies to complete the DCI and achieve our audit objective:

   •   Interviewed NCUA management and staff associated with FSOC activities;

   •   Interviewed other applicable NCUA management and staff;

   •   Reviewed NCUA Instructions, policies, procedures, and practices;

   •   Reviewed the FSOC Memorandum of Understanding and the Rules of Organization of the Financial Stability Oversight Council; and

   •   Reviewed Memoranda of Understanding NCUA has with other FSOC member agencies.

While we believe NCUA has a culture of protecting sensitive information, we determined NCUA's existing policies and procedures are not sufficiently comprehensive to help the agency protect confidential non-public FSOC information from unauthorized disclosure. Specifically, NCUA needs to improve or supplement its policies and procedures to address:

   •   Protecting oral communication of confidential non-public FSOC information;

   •   Inventorying or tracking FSOC information requests/responses;

   •   Controlling access to and authorizing release of confidential non-public information to FSOC, FSOC member agencies or other external parties (e.g., Congress);

   •   Placing appropriate markings on FSOC information to identify it as containing confidential information;

   •   A central person/group to coordinate all FSOC communications;

   •   Membership on FSOC committees, including authorized alternate representatives and corresponding duties and responsibilities of the NCUA representatives;

   •   Identifying, controlling and monitoring who within NCUA will have access to and who has accessed specific FSOC information and systems;

   •   Handling, controlling, and protecting FSOC information during teleconferences and telework sessions; and

   •   Consequences for the breach/unauthorized disclosure of FSOC information.

We provided the completed DCI to the Federal Deposit Insurance Corporation on April 16, 2012 as part of the larger CIGFO audit. The CIGFO indicated that the DCI results from agency IGs will be rolled up into a consolidated CIGFO report.

We suggested in this report that NCUA management coordinate with FSOC and FSOC member agencies to supplement or improve its policies, procedures, and practices. While acknowledging its existing policies and procedures are not specific to FSOC information and could be more comprehensive, NCUA management believes its policies, procedures, and training are effective. NCUA management agreed to continue coordinating with FSOC to implement improved policies, procedures, and practices as suggested by FSOC.

We appreciate the courtesies and cooperation NCUA management and staff provided to us during this review.


Background

On July 21, 2010, the President signed into law the Dodd-Frank Wall Street Reform and Consumer Protection Act (the Financial Reform Act). The Financial Reform Act created:

   •   The Financial Stability Oversight Council (FSOC); and

   •   The Council of Inspectors General on Financial Oversight (CIGFO).

FSOC

Prior to the financial crisis, the [financial] regulatory framework focused regulators narrowly on individual institutions and markets. This allowed supervisory gaps to grow and regulatory inconsistencies to emerge, which led to arbitrage and weakened standards. No single entity had responsibility for monitoring and addressing risks to financial stability, leaving institutions across multiple markets and important parts of the financial system unregulated. The creation of the FSOC addresses these problems.

FSOC membership consists of 10 voting members and five non-voting members:

Voting Members

   •   Secretary of the Department of the Treasury, Chairperson [1]
   •   Chairman of the Board of Governors of the Federal Reserve System
   •   Comptroller of the Currency
   •   Chairman of the Securities and Exchange Commission
   •   Chairperson of the Commodity Futures Trading Commission
   •   Chairperson of the Federal Deposit Insurance Corporation
   •   Director of the Federal Housing Finance Agency
   •   Chairman of the National Credit Union Administration
   •   Director of the Bureau of Consumer Financial Protection
   •   An independent member with insurance expertise

Non-Voting Members

   •   Director of the Office of Financial Research
   •   Director of the Federal Insurance Office
   •   A state insurance commissioner
   •   A state banking supervisor
   •   A state securities commissioner

[1] The Secretary of the U.S. Department of the Treasury chairs the FSOC.

The purpose of the FSOC is to:

   •   Identify risks to the financial stability of the United States that may arise from ongoing activities of large, interconnected financial companies as well as from outside the financial services marketplace;

   •   Promote market discipline by eliminating expectations of government bailouts; and

   •   Respond to emerging threats to financial stability.

The FSOC is authorized to:

   •   Facilitate Regulatory Coordination: The FSOC has a statutory duty to facilitate information sharing and coordination among the member agencies regarding domestic financial services policy development, rulemaking, examinations, reporting requirements, and enforcement actions. Through this role, the FSOC will help eliminate gaps and weaknesses within the regulatory structure, to promote a safer and more stable system.

   •   Facilitate Information Sharing and Collection: By statute, the FSOC has a duty to facilitate the sharing of data and information among the member agencies. In instances where the data available proves insufficient, the FSOC has the authority to direct the Office of Financial Research (OFR) to collect information from certain individual financial companies to assess risks to the financial system, including the extent to which a financial activity or financial market in which the financial company participates, or the financial company itself, poses a threat to the financial stability of the United States. The collection and analysis of this data will aid the FSOC and OFR in their shared goal of removing blind spots in the financial system so that regulators will be more able to see the entire landscape and be better equipped to identify systemic risks and other emerging threats.

   •   Designate Nonbank Financial Companies for Consolidated Supervision: In the run-up to the financial crisis, some of the nonbank firms that posed the greatest risk to the financial system were not subject to tough consolidated supervision. The Financial Reform Act gives the FSOC the authority to require consolidated supervision of nonbank financial companies, regardless of their corporate form.

   •   Designate Systemic Financial Market Utilities and Systemic Payment, Clearing, or Settlement Activities: The Financial Reform Act authorizes the FSOC to designate financial market utilities and payment, clearing, or settlement activities as systemic, requiring them to meet prescribed risk management standards and heightened oversight by the Federal Reserve, the Securities and Exchange Commission, or the Commodity Futures Trading Commission.

   •   Recommend Stricter Standards: The FSOC has the authority to recommend stricter standards for the largest, most interconnected firms, including nonbanks, designated by the FSOC for Federal Reserve supervision. Moreover, where the FSOC determines that certain practices or activities pose a threat to financial stability, the FSOC may make recommendations to the primary financial regulatory agencies for new or heightened standards.

   •   Recommend Congress close specific gaps in regulation.

CIGFO

The CIGFO was established to facilitate information sharing among its Inspectors General (IG) members; provide a forum for discussion of IG member work as it relates to the broader financial sector; and evaluate the effectiveness and internal operations of the FSOC. The CIGFO includes the IGs of nine major government financial entities. The IG of the Department of the Treasury (Treasury) is the Chairman of CIGFO, and the IG of the Federal Deposit Insurance Corporation (FDIC) is the Vice-Chairman of CIGFO. The other CIGFO members are the IGs of the remaining FSOC voting member agencies identified above.


Objective, Scope and Methodology

On December 8, 2011, CIGFO members approved a proposal to convene a working group to review FSOC's control of sensitive and proprietary information. [2] The objective of this audit was to examine the controls and protocols that FSOC and its member agencies have put in place to ensure that FSOC-collected information, deliberations, and decisions are safeguarded from unauthorized disclosure.

[2] Pursuant to the Financial Reform Act, the CIGFO may, by majority vote, convene a working group to evaluate the internal operations of the FSOC. In addition, IGs who are members of CIGFO may detail staff and resources to a CIGFO working group to enable it to carry out its duties.

The CIGFO audit indicated member agency IGs should perform audit procedures to complete a data collection instrument (DCI), comprised of a series of Yes or No questions that address the audit objective. As part of the larger CIGFO audit, we initiated an audit to review NCUA's policies, procedures, and practices for ensuring FSOC-related information that it collects, shares, or deliberates is adequately protected from unauthorized disclosure.

We were required to answer the Yes/No questions and include a narrative description of our results and findings. We submitted our completed DCI to the FDIC on April 16, 2012. The CIGFO will roll the results from agency IGs into a consolidated report, which will address current controls at FSOC/OFR and member agencies and plans for moving forward. Based on the observations from our review, we chose to issue this separate report in an effort to assist NCUA in determining how to move the agency forward in handling and controlling confidential non-public FSOC information and protecting it from unauthorized disclosure.

We conducted this review from February 2012 to June 2012 in accordance with generally accepted government auditing standards applicable to the objective and scope of the survey defined in the CIGFO's February 2012 Survey Program. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

Consistent with the standards provided by the CIGFO, we obtained and incorporated the views of responsible agency officials into the results of our work. We also performed appropriate quality control procedures, such as indexing and referencing, consistent with our internal policies and procedures to ensure the reliability of our results.

To determine whether NCUA has policies, procedures, and practices for ensuring FSOC-related information that it collects, shares, or deliberates is adequately protected from unauthorized disclosure, we:

   •   Interviewed NCUA management and staff associated with FSOC activities;

   •   Interviewed other applicable NCUA management and staff;

   •   Reviewed NCUA Instructions, policies, procedures, and practices;

   •   Reviewed the FSOC Memorandum of Understanding and the Rules of Organization of the Financial Stability Oversight Council; and

   •   Reviewed Memoranda of Understanding NCUA has with other FSOC member agencies.

We did not use any computer-processed data during the course of this audit.


Observations

During our review, we observed that NCUA generally has a culture of protecting sensitive information. In reviewing the responses to the DCI, we determined that FSOC provides, and NCUA has, only limited comprehensive policies or procedures that would help the NCUA adequately handle and control confidential non-public FSOC information, analyses, or information from deliberations (FSOC information) and protect that information from unauthorized disclosure.

FSOC Guidance

We determined that while FSOC guidance [3] (1) defines confidential non-public information; and (2) provides general overall policy that (a) all reasonable efforts must be made to protect such information, and (b) members shall maintain and protect non-public data/reports in a confidential manner, the FSOC guidance does not delineate any specific procedures or methods that NCUA could use to guide it in handling, controlling, or protecting oral, hardcopy, or electronic FSOC information received from or provided to the FSOC or its member agencies.

[3] The FSOC 'Memorandum of Understanding Regarding the Treatment of Non-Public Information Shared Among Parties Pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act' (effective April 15, 2011); and the 'Rules of Organization of the Financial Stability Oversight Council'.

NCUA Policies and Procedures

We determined that overall, NCUA's existing policies and procedures do not address key items posed by the CIGFO in its DCI that, if addressed, would provide NCUA with comprehensive guidelines and controls to protect confidential FSOC information. We identified NCUA policies that either include many controls or that could be improved to include controls for guiding NCUA in its efforts to protect confidential FSOC information. Specifically, we reviewed: (1) NCUA's Rules of Behavior; and (2) NCUA's Instruction regarding Security of External Party's Documentation (NCUA Instruction No. 13500.09, March 25, 2008):

   •   Rules of Behavior. NCUA's FSOC representatives and other NCUA staff indicated they believe the Rules of Behavior applies in regard to providing policy and procedure for protecting confidential FSOC information. However, we determined the Rules of Behavior does not adequately or comprehensively address handling, controlling, or protecting confidential information. Specifically, it:

       o   Focuses on: (a) protecting sensitive Personally Identifiable Information; and (b) computer/network/software security;

       o   Provides only a limited definition of confidential information (i.e., "When using electronic share and loan data during an AIRES exam, you must treat this data as confidential."); and

       o   Does not include any policy or procedures for protecting confidential information, whether oral, hardcopy or electronic.

   •   Security of External Party's Documentation. This Instruction includes applicable policies and procedures that NCUA could use in handling and controlling confidential FSOC information and protecting that information from unauthorized disclosure. Specifically, it provides policies and procedures for securing electronic and hardcopy materials that contain information about or are acquired from credit unions or any other parties external to NCUA.

Based on our review of FSOC's guidance and NCUA's policies and procedures, we determined NCUA lacks guidance, policies, and procedures that specifically address the following items:

   •   Protecting oral communication of confidential non-public FSOC information;

   •   Inventorying or tracking FSOC information requests/responses;

   •   Controlling access to and authorizing release of confidential non-public information to FSOC, FSOC member agencies or other external parties (e.g., Congress);

   •   Placing appropriate markings on FSOC information to identify it as containing confidential information;

   •   A central person/group to coordinate all FSOC communications;

   •   Membership on FSOC committees, including authorized alternate representatives and corresponding duties and responsibilities of the NCUA representatives;

   •   Identifying, controlling and monitoring who within NCUA will have access to and who has accessed specific FSOC information and systems;

   •   Handling, controlling, and protecting FSOC information during teleconferences and telework sessions; and

   •   Consequences for the breach/unauthorized disclosure of FSOC information.

CIGFO Report Findings

The CIGFO issued the report "Audit of the Financial Stability Oversight Council's Controls over Non-Public Information" on June 22, 2012. The CIGFO concluded that it would be beneficial for the FSOC to examine differences in member agencies' control environments and determine whether those differences pose a risk of unauthorized disclosure that it would need to address FSOC-wide. In addition, the CIGFO report suggested that the FSOC might identify best practices among member agencies that would be of benefit to the FSOC as a whole.

Suggestion

We believe NCUA should coordinate with FSOC and FSOC member agencies to supplement or improve its policies, procedures, and practices to help ensure the agency adequately handles and controls confidential non-public FSOC information and protects that information from unauthorized disclosure.

Agency Response: NCUA management believes its existing policies, procedures, and training are effective. However, NCUA management also acknowledges the policies and procedures are not specific to FSOC information and could be more comprehensive. NCUA management: (1) agreed to continue coordinating with FSOC to implement improved policies, procedures, and practices as suggested by FSOC; and (2) indicated this coordination will enhance NCUA's existing efforts to ensure the protection of non-public information, especially confidential, FSOC-related information.

OIG Response: The OIG concurs with NCUA's planned action.


Appendix A - NCUA Management Comments